[Samba] password sync program NOT running as user root

Holger Brückner brueckner at net-labs.de
Tue Jun 3 18:58:44 GMT 2003


Hello *

in my samba installation the unix password sync program is not run as
user root. instead it runs as the user who wants to change the
password:

this is a recompiled debian samba_2.999+3.0.alpha23-4 with ldapsam
enabled (no other changes to the debian build script)


# Global parameters
[global]
        workgroup = SVFMG
        server string = %h server (Samba %v)
        obey pam restrictions = Yes
        passdb backend = smbpasswd, ldapsam, tdbsam, unixsam
        passwd program = /etc/samba/ldapsync.pl -o %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *modifying*
        passwd chat debug = Yes
        username map = /etc/samba/usermap

svpdc:/etc/samba# cat /etc/samba/ldapsync.pl
#!/usr/bin/perl -w
$myid = $<;
`echo $myid >> /tmp/ldapsync.debug`;

svpdc:/etc/samba# cat /tmp/ldapsync.debug
1015
1015
1015


[2003/06/03 20:16:40, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(648)
  ldapsam_search_one_user: searching for:[(&(uid=lorenz)(objectclass=sambaAccount))]
[2003/06/03 20:16:40, 2] passdb/pdb_ldap.c:init_sam_from_ldap(1059)
  Entry found for user: lorenz
[2003/06/03 20:16:40, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(2187)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=1005))]
[2003/06/03 20:16:40, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2003/06/03 20:16:40, 3] smbd/chgpasswd.c:chgpasswd(486)
  Password change for user: lorenz
[2003/06/03 20:16:40, 3] smbd/chgpasswd.c:chat_with_program(443)
  Dochild for user lorenz (uid=0,gid=0)
[2003/06/03 20:16:40, 0] lib/util_sock.c:read_socket_with_timeout(275)
  read_socket_with_timeout: timeout read. read error = Input/output error.
[2003/06/03 20:16:40, 2] smbd/chgpasswd.c:expect(277)
  expect: Input/output error

as you can see it successfully does an ldap lookup for the user account.
samba also states that it will change to uid=0,gid=0. unfortunately that
never seems to happen. the input/output errors are because the test
script doesn't provide the expected output. but the main problem is,
that the switch to uid=0 does not happen, which makes it really
difficult to write a secure password change script. (now i'll have to
make the script world executable to be able to change passwords).

any suggestions ?!?

i can provide further logs if you tell me what you need.

greetings from muc

Holger Brueckner
net-labs Systemhaus gmbH
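
A diagnostic stand-in for the `passwd program`, added here as an example and not the poster's `ldapsync.pl` or Samba code: it records real and effective IDs per call, refuses to continue unless the effective UID is 0, checks the substituted `%u`, and answers the three prompts of the `passwd chat` shown above so the chat does not time out. The `LDAPSYNC_DEBUG_LOG` variable, the user-name pattern and the exit codes are assumptions, and it is written in shell rather than Perl.

```shell
#!/bin/sh
# Added example: diagnostic stand-in for the smb.conf "passwd program".
# Assumptions: LDAPSYNC_DEBUG_LOG variable, user-name pattern, exit codes.
LOG="${LDAPSYNC_DEBUG_LOG:-/tmp/ldapsync.debug}"

# Append real and effective uid/gid for this call (never the passwords).
log_ids() {
    printf '%s ruid=%s euid=%s rgid=%s egid=%s user=%s\n' \
        "$(date '+%Y/%m/%d %H:%M:%S')" "$(id -ru)" "$(id -u)" \
        "$(id -rg)" "$(id -g)" "$1" >> "$LOG"
}

# %u is substituted by smbd: accept only conservative account names.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Answer the three steps of the passwd chat on stdin/stdout.
# $1 = user name, $2 = effective uid (a parameter so it can be tested).
run_chat() {
    user=$1
    euid=$2
    valid_user "$user" || { echo "invalid user name"; return 2; }
    [ "$euid" -eq 0 ] || { echo "refusing: effective uid is $euid, not 0"; return 3; }
    printf 'New password: '             # matches *New*password*
    IFS= read -r new1 || return 4
    printf 'Retype new password: '      # matches *Retype*new*password*
    IFS= read -r new2 || return 4
    [ "$new1" = "$new2" ] || { echo "passwords do not match"; return 5; }
    # A real script would update the account here; this one only reports.
    echo "modifying password for $user" # matches *modifying*
}

main() {
    if [ "$1" = "-o" ]; then shift; fi  # invoked as: ldapsync.pl -o %u
    log_ids "${1:-}"
    run_chat "${1:-}" "$(id -u)"
}

# Run only when called with arguments, as smbd does.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the script exits before printing any prompt when the effective UID is not 0, a failed chat together with a non-zero `euid` in the log points at the privilege context rather than at the chat strings.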



